--- draft-ietf-mip6-auth-protocol-05.txt
+++ draft-ietf-mip6-auth-protocol-06.txt

 Network Working Group                                          A. Patel
 Internet-Draft                                                 K. Leung
-Expires: February 23, 2006                                Cisco Systems
+Expires: March 2, 2006                                    Cisco Systems
                                                               M. Khalil
                                                               H. Akhtar
                                                         Nortel Networks
                                                            K. Chowdhury
                                                        Starent Networks
-                                                        August 22, 2005
+                                                        August 29, 2005

                 Authentication Protocol for Mobile IPv6
-                  draft-ietf-mip6-auth-protocol-05.txt
+                  draft-ietf-mip6-auth-protocol-06.txt

 Status of this Memo

    By submitting this Internet-Draft, each author represents that any
    applicable patent or other IPR claims of which he or she is aware
    have been or will be disclosed, and any of which he or she becomes
    aware will be disclosed, in accordance with Section 6 of BCP 79.

    Internet-Drafts are working documents of the Internet Engineering
    Task Force (IETF), its areas, and its working groups.  Note that

 skipping to change at page 1, line 39

    and may be updated, replaced, or obsoleted by other documents at any
    time.  It is inappropriate to use Internet-Drafts as reference
    material or to cite them other than as "work in progress."

    The list of current Internet-Drafts can be accessed at
    http://www.ietf.org/ietf/1id-abstracts.txt.

    The list of Internet-Draft Shadow Directories can be accessed at
    http://www.ietf.org/shadow.html.

-   This Internet-Draft will expire on February 23, 2006.
+   This Internet-Draft will expire on March 2, 2006.

 Copyright Notice

    Copyright (C) The Internet Society (2005).

 Abstract

    IPsec is specified as the sole means of securing all signaling
    messages between the Mobile Node and Home agent for Mobile IPv6.  A
    flexible model for security between the Mobile Node and Home Agent is

 skipping to change at page 2, line 28

    5.  Mobility message authentication option . . . . . . . . . . . .  7
      5.1.  MN-HA authentication mobility option . . . . . . . . . . .  8
        5.1.1.  Processing Considerations . . . . . . . . . . . . . .  9
      5.2.  MN-AAA authentication mobility option  . . . . . . . . . . 10
        5.2.1.  Processing Considerations . . . . . . . . . . . . . . 10
      5.3.  Authentication Failure Detection at the Mobile Node  . . . 11
    6.  Mobility message replay protection option  . . . . . . . . . . 12
    7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 15
    8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 16
    9.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 17
-   10. Normative References . . . . . . . . . . . . . . . . . . . . . 17
+   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18
+     10.1. Normative References . . . . . . . . . . . . . . . . . . . 18
+     10.2. Informative References . . . . . . . . . . . . . . . . . . 18
    Appendix A.  Rationale for mobility message replay protection
-                option . . . . . . . . . . . . . . . . . . . . . . . 18
-   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 19
-   Intellectual Property and Copyright Statements . . . . . . . . . . 21
+                option . . . . . . . . . . . . . . . . . . . . . . . 19
+   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20
+   Intellectual Property and Copyright Statements . . . . . . . . . . 22

 1.  Introduction

    The base Mobile IPv6 specification [RFC3775] specifies the signaling
    messages, Binding Update (BU) and Binding Acknowledgement (BA),
    between the Mobile Node and Home agent to be secured by the IPsec
    Security Associations (IPsec SAs) that are established between these
    two entities.

-   The draft draft-patil-mip6-whyauthdataoption-01.txt describes the
-   architecture of cdma2000 networks and the motivation of using the
-   authentication option for Mobile IP in that architecture.
+   The architecture of cdma2000 networks and the motivation of using the
+   authentication option for Mobile IP in that architecture is described
+   in [whyauth].

    This document proposes a solution for securing the Binding Update and
    Binding Acknowledgment messages between the Mobile Node and Home
    agent using an authentication option which is included in these
    messages.  Such a mechanism enables IPv6 mobility in a host without
    having to establish an IPsec SA with its Home Agent.  A Mobile Node
    can implement Mobile IPv6 without having to integrate it with the
    IPsec module, in which case the Binding Update and Binding
    Acknowledgement messages (between MN-HA) are secured with the
    authentication option.  It does not imply that the availability of

 skipping to change at page 17, line 13 (-05) / page 18, line 5 (-06)

    [RFC2434].

 9.  Acknowledgements

    The authors would like to thank Basavaraj Patil, Charlie Perkins,
    Vijay Devarapalli and Jari Arkko for their thorough review and
    suggestions on the document.  The authors would like to acknowledge
    the fact that a similar authentication method was considered in the
    base protocol [RFC3775] at one time.

-10. Normative References
+10. References
+
+10.1.  Normative References

    [MN_Ident]
               Patel, A., et al., "Mobile Node Identifier Option for
               Mobile IPv6", draft-ietf-mip6-mn-ident-option-03.txt (work
               in progress), December 2004.

    [RFC1305]  Mills, D., "Network Time Protocol (Version 3)
               Specification, Implementation", RFC 1305, March 1992.

    [RFC2434]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
               IANA Considerations Section in RFCs", BCP 26, RFC 2434,
               October 1998.

+   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
+              "Remote Authentication Dial In User Service (RADIUS)",
+              RFC 2865, June 2000.
+
    [RFC3344]  Perkins, C., "IP Mobility Support for IPv4", RFC 3344,
               August 2002.

    [RFC3775]  Johnson, D., Perkins, C., and J. Arkko, "Mobility Support
               in IPv6", RFC 3775, June 2004.

+10.2.  Informative References
+
+   [whyauth]  Patil, B., et al., "Why Authentication Data suboption is
+              needed for MIP6",
+              draft-patil-mip6-whyauthdataoption-01.txt (work in
+              progress), September 2005.
+
 Appendix A.  Rationale for mobility message replay protection option

    Mobile IPv6 [RFC3775] defines a Sequence Number in the mobility
    header to prevent replay attacks.  There are two aspects that stand
    out in regards to using the Sequence Number to prevent replay
    attacks.

    Firstly, the specification states that the Home Agent should accept
    a BU with a Sequence Number greater than the Sequence Number from
    the previous Binding Update.  This implicitly assumes that the Home
    Agent has some
This html diff was produced by rfcdiff 1.25, available from http://www.levkowetz.com/ietf/tools/rfcdiff/